Secure HTTPS (HTTPS with mixed encryption, front-end Interview FAQ) Second article


Apple has decided that the communication mechanism in iOS 9 uses HTTPS.

First article: http://www.cnblogs.com/ziyi--caolu/p/4742577.html

The previous article described in detail the two main ways to encrypt HTTP, interspersed with what I learned about encrypting HTTP content during earlier development work. This article is mainly about encrypting the communication process itself, that is, HTTPS.

Simply put, HTTPS = HTTP + encryption + authentication + integrity protection.

To resolve the HTTP security issues mentioned in the previous article, we need to add encryption and an authentication mechanism to HTTP. HTTP with these encryption and authentication mechanisms is called HTTPS.

When using HTTPS, the URL no longer starts with http:// but with https://.

A. HTTP over SSL (Secure Socket Layer), that is, HTTPS

HTTPS is not a new application-layer protocol; the HTTP communication interface is simply replaced in part with the SSL protocol (or the TLS protocol). Typically, HTTP communicates directly with TCP. When SSL is used, HTTP first communicates with SSL, and SSL then communicates with TCP. With SSL in place, HTTP gains the encryption, certificate and integrity protection functions of HTTPS. SSL is independent of HTTP: it is not limited to HTTP, and other protocols running at the application layer can use SSL as well.

B. Public key encryption for exchanging keys with each other

SSL uses an encryption method called public key encryption. (In modern encryption the algorithm is public and the key is kept confidential. Both encryption and decryption require the key, and without the key the ciphertext cannot be decrypted; but if an attacker obtains the key, the encryption loses its meaning.)

1. The dilemma of shared key encryption

An encryption method in which encryption and decryption use the same key is called shared key encryption (symmetric key encryption). When encrypting this way, the key must also be sent to the other party. But if you could ensure that the key arrives safely, then the data could arrive safely in the same way.

2. Public key encryption with two keys

Public key encryption is a good way to solve the problem of shared key encryption. It uses a pair of asymmetric keys: one is the private key (the secret key) and the other is the public key. The private key must not be known to anyone else, while the public key can be published freely.

Encryption method:

The party sending the ciphertext encrypts with the other party's public key. When the other party receives the encrypted information, it decrypts the ciphertext with its own private key.

In this way, the private key used for decryption never needs to be sent. This solves the problem of shared key encryption.

3. HTTPS with a hybrid encryption mechanism

HTTPS uses a hybrid encryption mechanism that combines shared key encryption and public key encryption. If the only goal is to keep the keys secure, you might consider using public key encryption alone. However, public key encryption is slower than shared key encryption.

Therefore, we should make full use of the advantages of both and combine the methods. In the key exchange step, use public key encryption. For example, for secure communication from the client to the server, the client encrypts the key that will be used for shared key encryption with the server's public key and sends it to the server; the server then decrypts it with its private key to obtain the shared key. Once the key has been exchanged securely, the message exchange phase uses shared key encryption.
